More security stuff

Because I am in that sort of mood tonight I started looking at other log files to see what kinda crap I could find.

So it appears that the iPhone has a bug where it seems to like to send the Userid and Password for Websites that you log in to as a referring link if you click on an outside link from inside an protected place.  Say what?  Well let me explain some more:

Say I set up a password protected web site that uses an htaccess style password protection. I then go to that web site, say http://somecoolsite.com/protected. If the userid and password is stored or used in the URL, say I had the user id of unixwiz and my password was IamCool, and I went to the web site with http://unixwiz:[email protected]/protected… Once inside the protected site, I then click on a link to some external site, for example http://mycoolsite.com, the iPhone is sending the refering URL as http://unixwiz:[email protected]/protected/ .. Which you guessed it, shows up on mycoolsite.com’s access log if they have referrer logging set up, or are doing anything that captures referr data. I would be interested in seeing if it still does it if you are prompted to enter your username and password and not save it.  How cool is that, with the amount of people using iPhone’s now, wonder how many people are looking at the logs to see this sort of data….

FWIW